A method for encoding domain name information into flow records includes receiving a flow record. The flow record includes initial network flow information in a standard flow record format including at least a source address and a destination address. Domain name information associated with each of the source address and destination address is retrieved from a database. The domain name information is encoded into the received flow record while maintaining the initial network flow information to yield an enhanced flow record.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for encoding domain name information in flow records by a network monitoring device coupled to a monitored network comprising a plurality of network devices, the method comprising: receiving a selectable set of flow criteria from a user via a graphical user interface (GUI) specifying flow information to be encoded in received flow records wherein the selectable set of criteria includes identifying network traffic growth of at least one identified domain over a specified time period; receiving a flow record in a flow analysis engine of the network monitoring device configured to receive standard flow records from network devices and identify map domain name information to source and destination address information contained in received standard flow records, the flow record including initial network flow information in a flow record format comprising at least a source address and a destination address; retrieving domain name information associated with each of the source address and destination address from a database; retrieving information responsive to the user selected set of flow criteria; retrieving policy information from a database associated with the received flow record; encoding the domain name information, retrieved information responsive to the user selected set of flow criteria and retrieved policy information in an encoding and distribution engine of the network monitoring device for encoding the received standard flow records with the identified map domain information and retrieved policy information in the received flow record while maintaining the initial network flow information to yield an enhanced flow record; and distributing the received flow record having the encoded domain name information and policy information to entries identified in a distribution list database of the network monitoring device.
2. The method as recited in claim 1, wherein the retrieved domain name information comprises one or more fully qualified domain names.
3. The method as recited in claim 1, wherein the enhanced flow record is a flow record following customized Netflow format.
4. The method as recited in claim 1, wherein the domain name information includes a domain name suffix string and wherein retrieving the domain name information comprises filtering the retrieved domain name information based on one or more domain name suffix strings.
5. The method as recited in claim 4, further comprising analyzing a plurality of the enhanced flow records stored in the flow record repository according to a user specified criteria.
6. The method as recited in claim 1, further comprising analyzing a plurality of the enhanced flow records stored in the flow record repository to identify one or more domain names associated with sources of network traffic growth.
7. The method as recited in claim 5, wherein the user specified criteria is associated with a user-specified collection of network resources or services.
8. The method as recited in claim 1, wherein the enhanced flow record is distributed to one or more network devices identified in a distribution list.
9. The method as recited in claim 5, wherein analyzing the plurality of the enhanced flow records further comprises aggregating two or more of the enhanced flow records based on one or more domain name suffix strings.
10. A computer network monitoring system coupled to a monitored network comprising a plurality of network devices comprising: a database for storing domain name system (DNS) information; and one or more network monitoring devices communicatively coupled to the monitored network and to the database, at least one network monitoring device including: i. a flow analysis engine configured to receive standard flow records from network devices and identify map domain name information to source and destination address information contained in received standard flow records; ii. an enhanced flow reporting engine coupled to graphical user interface (GUI) for providing user selectable reporting criteria; iii. an encoding and distribution engine for encoding the received standard flow records with the identified map domain information; and iv. a distribution list database for identifying entries that will receive the encoded flow records; wherein the one or more network monitoring devices are configured and operable to: receive a flow record, the flow record including initial network flow information in a flow record format comprising at least a source address and a destination address; retrieve domain name information associated with each of the source address and destination address from the database; retrieving information responsive to the user selected set of flow criteria including identifying network traffic growth of at least one identified domain over a specified time period; encode the domain name information and retrieved information responsive to the selected set of flow criteria in the received flow record while maintaining the initial network flow information to yield an enhanced flow record.
11. The monitoring system as recited in claim 10, wherein the enhanced flow record is a flow record following customized Netflow format.
12. The monitoring system as recited in claim 10, further comprising a user interface communicatively coupled to the one or more monitoring devices, the user interface configured to obtain traffic analysis criteria from a user.
13. The monitoring system as recited in claim 12, wherein the domain name information includes a domain name suffix string and wherein the one or more network monitoring devices configured and operable to retrieve the domain name information are further configured and operable to filter the retrieved domain name information based on one or more domain name suffix strings.
14. The monitoring system as recited in claim 13, wherein the one or more network monitoring devices are further configured and operable to analyze a plurality of the enhanced flow records stored in the flow record repository according to the traffic analysis criteria.
15. The monitoring system as recited in claim 10, wherein the one or more network monitoring devices are further configured and operable to analyze a plurality of the enhanced flow records stored in the flow record repository to identify one or more domain names associated with sources of network traffic growth.
16. The monitoring system as recited in claim 14, wherein the traffic analysis criteria is associated with a user-specified collection of network resources or services.
17. The monitoring system as recited in claim 10, wherein the one or more network monitoring devices are further configured and operable to periodically distribute an annotated flow template defining a plurality of fields comprising the enhanced flow record.
18. The monitoring system as recited in claim 14, wherein the one or more network monitoring devices configured and operable to analyze the plurality of the enhanced flow records are further configured and operable to aggregate two or more of the enhanced flow records based on one or more domain name suffix strings.
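The enrichment, suffix filtering and suffix-based aggregation steps described in claims 1, 4, 9 and 18 can be illustrated with a small added example. This is not code from the patent or its assignee; the DNS database, the flow records and the extra fields (`src_fqdn`, `dst_fqdn`) standing in for a customized Netflow format are all constructed for illustration.

```python
# Added example (not from the patent): enrich NetFlow-style records with
# domain names while keeping every original field, optionally restrict the
# encoded names to chosen suffixes, and aggregate bytes per domain suffix.
from collections import defaultdict

# Constructed stand-in for the DNS database (address -> FQDN).
DNS_DB = {
    "10.0.0.5": "host1.corp.example.com",
    "203.0.113.7": "cdn-edge.example.net",
    "198.51.100.9": "api.example.net",
}

# Constructed standard flow records: source, destination, byte count.
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "bytes": 4000},
    {"src": "10.0.0.5", "dst": "198.51.100.9", "bytes": 1500},
    {"src": "10.0.0.5", "dst": "192.0.2.1", "bytes": 700},  # no DNS entry
]

def _has_suffix(name, suffix):
    # Label-aware match so "example.net" does not match "notexample.net".
    return name == suffix or name.endswith("." + suffix)

def enhance_flow(flow, dns_db, suffixes=None):
    """Return a new record: original fields intact plus src_fqdn/dst_fqdn.

    With suffixes given, only FQDNs under one of them are encoded; unknown
    or filtered-out addresses get None rather than altering original data."""
    def lookup(addr):
        name = dns_db.get(addr)
        if name is None:
            return None
        if suffixes and not any(_has_suffix(name, s) for s in suffixes):
            return None
        return name
    enhanced = dict(flow)          # maintain the initial flow information
    enhanced["src_fqdn"] = lookup(flow["src"])
    enhanced["dst_fqdn"] = lookup(flow["dst"])
    return enhanced

def aggregate_by_suffix(enhanced_flows, suffixes):
    """Sum bytes per domain suffix over destination FQDNs (claims 9 and 18)."""
    totals = defaultdict(int)
    for rec in enhanced_flows:
        name = rec.get("dst_fqdn")
        for s in suffixes:
            if name and _has_suffix(name, s):
                totals[s] += rec["bytes"]
    return dict(totals)

if __name__ == "__main__":
    enhanced = [enhance_flow(f, DNS_DB) for f in FLOWS]
    print(aggregate_by_suffix(enhanced, ["example.net", "example.com"]))
```

Because the original `src`, `dst` and `bytes` fields are copied untouched, a consumer that ignores the added fields still sees a valid standard record.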
September 9, 2016
January 26, 2021